Cyber-Criminals Revive Pernicious GameOver Zeus Malware

Five weeks after a global takedown of the Gameover Zeus botnet by law enforcement agencies in 11 countries - including Europol, the FBI and the UK's National Cyber Crime Unit - cybercriminals have begun to resurrect the pernicious malware.

At the time of the takedown, the UK's National Crime Agency issued a stark warning to the public to update their computers within two weeks or potentially face a "powerful computer attack" when Gameover came back online.

While it might have taken a little longer than expected, the experts at security company Malcovery discovered a modified version of the Gameover malware being used in a new spam email campaign on Thursday.

The company found that the malware attached to these phishing emails shared around 90% of its code with Gameover but used a new way of communicating with the criminals using it.

While the original Gameover botnet which was crippled last month used a peer-to-peer network to avoid detection, the new version of Gameover uses a technique known as fast-flux hosting, which security journalist Brian Krebs said "lets botnets hide phishing and malware delivery sites behind an ever-changing network of compromised systems acting as proxies, in a bid to make the botnet more resilient to takedowns."
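To make the fast-flux behaviour concrete from the defender's side, the following is an added example (not code from the article, Malcovery or Krebs) that summarises passive DNS observations per domain and flags names whose answer set looks like a rotating proxy pool: low TTLs, many distinct addresses, and addresses spread across unrelated networks. The observations, domain names and thresholds (five addresses, three /24 networks, TTL of 300 seconds or less) are constructed assumptions for illustration; a legitimate CDN also uses low TTLs with several addresses, which is why network diversity is checked as well.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed A-record observations (domain, ttl_seconds, answer_ip).
# These are not real DNS data; names and addresses are example values.
CONSTRUCTED_ANSWERS = [
    ("shop.example.com", 3600, "203.0.113.10"),
    ("shop.example.com", 3600, "203.0.113.11"),
    # CDN-style name: low TTL, several addresses, but all in one network
    ("cdn.example.net", 60, "198.51.100.1"),
    ("cdn.example.net", 60, "198.51.100.2"),
    ("cdn.example.net", 60, "198.51.100.3"),
    ("cdn.example.net", 60, "198.51.100.4"),
    ("cdn.example.net", 60, "198.51.100.5"),
    # Flux-like name: low TTL, many addresses across unrelated networks,
    # as expected when compromised hosts are used as front-end proxies
    ("login-verify.example.org", 120, "192.0.2.7"),
    ("login-verify.example.org", 120, "198.51.100.9"),
    ("login-verify.example.org", 120, "203.0.113.45"),
    ("login-verify.example.org", 120, "192.0.2.88"),
    ("login-verify.example.org", 120, "203.0.113.200"),
    ("login-verify.example.org", 120, "198.51.100.77"),
]


def summarise(answers):
    """Per domain: count of distinct IPs, distinct /24 networks, lowest TTL seen."""
    ips = defaultdict(set)
    nets = defaultdict(set)
    min_ttl = {}
    for domain, ttl, ip in answers:
        ips[domain].add(ip)
        # strict=False lets a host address stand in for its /24 network
        nets[domain].add(ip_network(f"{ip}/24", strict=False))
        min_ttl[domain] = min(ttl, min_ttl.get(domain, ttl))
    return {
        d: {"ips": len(ips[d]), "nets": len(nets[d]), "min_ttl": min_ttl[d]}
        for d in ips
    }


def flux_candidates(answers, min_ips=5, min_nets=3, max_ttl=300):
    """Domains whose answer set looks like a proxy pool rather than hosting.

    Thresholds are assumed values for this example, not a published standard.
    """
    return sorted(
        d
        for d, s in summarise(answers).items()
        if s["ips"] >= min_ips and s["nets"] >= min_nets and s["min_ttl"] <= max_ttl
    )


if __name__ == "__main__":
    for domain, stats in summarise(CONSTRUCTED_ANSWERS).items():
        print(domain, stats)
    print("flux candidates:", flux_candidates(CONSTRUCTED_ANSWERS))
```

Run against the constructed data, only login-verify.example.org is flagged; cdn.example.net has the same low TTL and five addresses but sits in a single network, so it is left alone unless the network threshold is relaxed.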

Locked down

The new version does however use the same Domain Generation Algorithm (DGA) as the original. A DGA is a fallback mechanism: the bots and their operator both compute the same rotating list of candidate domain names, so if the normal command-and-control channel fails the operator need only register one of those names to regain access to the botnet.
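The following is an added example, not the article's content and not the Gameover Zeus algorithm, showing how a generic date-seeded DGA works on both sides: the bot computes the day's candidate names, and a defender who has recovered the algorithm computes the same list and matches it against DNS query logs. The seed constant, the 1000-names-per-day count, the label length, the TLD list and the log format are all assumptions made for this illustration; the log lines are constructed, not captured traffic.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# Assumed shared constant. A real DGA hard-codes an equivalent value in the
# malware; this one is invented for the example and is NOT Gameover's.
SEED = b"example-dga-seed"
TLDS = ("com", "net", "org", "biz", "info")


def generate_domains(day: date, count: int = 1000) -> list[str]:
    """Return the candidate rendezvous domains a bot would try on `day`.

    Both bot and operator can compute this list offline, so the operator
    only has to register one of the `count` names to regain control.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        ).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidate_set(day: date, count: int = 1000, skew_days: int = 1) -> set[str]:
    """Union of the lists for `day` and its neighbours, so that clock skew
    between infected hosts and the sensor does not cause misses."""
    names: set[str] = set()
    for offset in range(-skew_days, skew_days + 1):
        names.update(generate_domains(day + timedelta(days=offset), count))
    return names


def find_dga_hits(log_lines, day: date, count: int = 1000) -> list[tuple[str, str]]:
    """Match A-record query names in 'timestamp client rrtype qname' lines
    against the candidate set; returns (client, qname) pairs to investigate."""
    candidates = candidate_set(day, count)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "A":
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        if qname in candidates:
            hits.append((client, qname))
    return hits


# Constructed DNS query log (not real traffic). The third line carries one
# of the day's generated names, standing in for an infected host looking
# for its operator after the normal channel has failed.
SAMPLE_DAY = date(2014, 7, 11)
CONSTRUCTED_DNS_LOG = [
    "2014-07-11T09:12:01 10.0.0.5 A www.example.com",
    "2014-07-11T09:12:02 10.0.0.7 A mail.example.com",
    "2014-07-11T09:12:03 10.0.0.5 A " + generate_domains(SAMPLE_DAY, 10)[3],
    "2014-07-11T09:12:04 10.0.0.9 AAAA www.example.com",
]

if __name__ == "__main__":
    for client, qname in find_dga_hits(CONSTRUCTED_DNS_LOG, SAMPLE_DAY):
        print(f"{client} queried DGA candidate {qname}")
```

The defender-side match is only as good as the recovered algorithm and seed: if the operators change either, as a rebuilt variant could, the precomputed list no longer matches and the sinkhole or blocklist built from it goes stale.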

While the new version of Gameover bears a strong resemblance to the original, the FBI has confirmed to Malcovery that the original Gameover Zeus botnet is still "locked down".

In a blogpost by Malcovery's Brendan Griffin and Gary Warner, the company said: "This discovery indicates that the criminals responsible for GameOver's distribution do not intend to give up on this botnet even after suffering one of the most expansive botnet takeovers/takedowns in history."

Evgeniy Mikhailovich Bogachev

The FBI estimates that the Gameover Zeus malware is responsible for the theft of up to $100 million (£58m) from bank accounts around the world. The US Justice Department has also identified 30-year-old Russian Evgeniy Mikhailovich Bogachev (aka Slavik) as the person responsible for creating the Zeus Trojan - with the FBI adding him to its Most Wanted list with a reward on offer for information that leads to his arrest.

A two-year FBI investigation revealed that since 2011 Bogachev ran a tight-knit group of cybercriminals based primarily in Russia and Ukraine who are responsible for distributing Gameover and the pernicious Cryptolocker ransomware.

Speaking about the appearance of the new version of Gameover, Tom Cross, director of security research at Lancope said:

"This new variant uses different command and control domains than the one that law enforcement targeted last month. This development was predicted by the law enforcement agencies and researchers involved in the initial botnet takedown, and it indicates that the operators of this botnet intend to continue to engage in this sort of computer crime."